Microsoft’s updates for July's Patch Tuesday fix 86 CVEs, including two vulnerabilities in their Chromium-based Edge browser that were patched earlier in the month.
One 0-day vulnerability has been patched: CVE-2022-22047 affects all currently supported versions of Microsoft’s pervasive operating system. This is an elevation-of-privilege vulnerability in the Windows Client Server Runtime Subsystem (CSRSS), a critical service that is often impersonated by malware. An attacker with an already-existing foothold can exploit this vulnerability to gain SYSTEM-level privileges. Two similar vulnerabilities in CSRSS (CVE-2022-22049 and CVE-2022-22026) were also fixed, likely as a result of Microsoft’s investigation into the in-the-wild exploitation of CVE-2022-22047.
Four critical remote code execution (RCE) vulnerabilities were fixed today. CVE-2022-22029 and CVE-2022-22039 affect network file system (NFS) servers, and CVE-2022-22038 affects the remote procedure call (RPC) runtime. Although all three of these will be relatively tricky for attackers to exploit due to the amount of sustained data that needs to be transmitted, administrators should patch sooner rather than later. CVE-2022-30221 supposedly affects the Windows Graphics Component, though Microsoft’s FAQ indicates that exploitation requires users to access a malicious RDP server.
Over a third of today’s vulnerabilities (a whopping 32 CVEs) affect their Azure Site Recovery offering. Anyone making use of this VMWare-to-Azure backup solution should be sure to upgrade to version 9.49 of the Microsoft Azure Site Recovery Unified Setup, available in Update rollup 62.
Summary charts
Summary tables
Azure vulnerabilities
| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score | Has FAQ? |
|---|
| CVE-2022-33676 | Azure Site Recovery Remote Code Execution Vulnerability | No | No | 7.2 | Yes |
| CVE-2022-33678 | Azure Site Recovery Remote Code Execution Vulnerability | No | No | 7.2 | Yes |
| CVE-2022-33674 | Azure Site Recovery Elevation of Privilege Vulnerability | No | No | 8.3 | Yes |
| CVE-2022-33675 | Azure Site Recovery Elevation of Privilege Vulnerability | No | No | 7.8 | Yes |
| CVE-2022-33677 | Azure Site Recovery Elevation of Privilege Vulnerability | No | No | 7.2 | Yes |
| CVE-2022-30181 | Azure Site Recovery Elevation of Privilege Vulnerability | No | No | 6.5 | Yes |
| CVE-2022-33641 | Azure Site Recovery Elevation of Privilege Vulnerability | No | No | 6.5 | Yes |
| CVE-2022-33643 | Azure Site Recovery Elevation of Privilege Vulnerability | No | No | 6.5 | Yes |
| CVE-2022-33655 | Azure Site Recovery Elevation of Privilege Vulnerability | No | No | 6.5 | Yes |
| CVE-2022-33656 | Azure Site Recovery Elevation of Privilege Vulnerability | No | No | 6.5 | Yes |
| CVE-2022-33657 | Azure Site Recovery Elevation of Privilege Vulnerability | No | No | 6.5 | Yes |
| CVE-2022-33661 | Azure Site Recovery Elevation of Privilege Vulnerability | No | No | 6.5 | Yes |
| CVE-2022-33662 | Azure Site Recovery Elevation of Privilege Vulnerability | No | No | 6.5 | Yes |
| CVE-2022-33663 | Azure Site Recovery Elevation of Privilege Vulnerability | No | No | 6.5 | Yes |
| CVE-2022-33665 | Azure Site Recovery Elevation of Privilege Vulnerability | No | No | 6.5 | Yes |
| CVE-2022-33666 | Azure Site Recovery Elevation of Privilege Vulnerability | No | No | 6.5 | Yes |
| CVE-2022-33667 | Azure Site Recovery Elevation of Privilege Vulnerability | No | No | 6.5 | Yes |
| CVE-2022-33672 | Azure Site Recovery Elevation of Privilege Vulnerability | No | No | 6.5 | Yes |
| CVE-2022-33673 | Azure Site Recovery Elevation of Privilege Vulnerability | No | No | 6.5 | Yes |
| CVE-2022-33642 | Azure Site Recovery Elevation of Privilege Vulnerability | No | No | 4.9 | Yes |
| CVE-2022-33650 | Azure Site Recovery Elevation of Privilege Vulnerability | No | No | 4.9 | Yes |
| CVE-2022-33651 | Azure Site Recovery Elevation of Privilege Vulnerability | No | No | 4.9 | Yes |
| CVE-2022-33653 | Azure Site Recovery Elevation of Privilege Vulnerability | No | No | 4.9 | Yes |
| CVE-2022-33654 | Azure Site Recovery Elevation of Privilege Vulnerability | No | No | 4.9 | Yes |
| CVE-2022-33659 | Azure Site Recovery Elevation of Privilege Vulnerability | No | No | 4.9 | Yes |
| CVE-2022-33660 | Azure Site Recovery Elevation of Privilege Vulnerability | No | No | 4.9 | Yes |
| CVE-2022-33664 | Azure Site Recovery Elevation of Privilege Vulnerability | No | No | 4.9 | Yes |
| CVE-2022-33668 | Azure Site Recovery Elevation of Privilege Vulnerability | No | No | 4.9 | Yes |
| CVE-2022-33669 | Azure Site Recovery Elevation of Privilege Vulnerability | No | No | 4.9 | Yes |
| CVE-2022-33671 | Azure Site Recovery Elevation of Privilege Vulnerability | No | No | 4.9 | Yes |
| CVE-2022-33652 | Azure Site Recovery Elevation of Privilege Vulnerability | No | No | 4.4 | Yes |
| CVE-2022-33658 | Azure Site Recovery Elevation of Privilege Vulnerability | No | No | 4.4 | Yes |
Azure Microsoft Dynamics vulnerabilities
| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score | Has FAQ? |
|---|
| CVE-2022-30187 | Azure Storage Library Information Disclosure Vulnerability | No | No | 4.7 | Yes |
Browser vulnerabilities
| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score | Has FAQ? |
|---|
| CVE-2022-2295 | Chromium: CVE-2022-2295 Type Confusion in V8 | No | No | N/A | Yes |
| CVE-2022-2294 | Chromium: CVE-2022-2294 Heap buffer overflow in WebRTC | No | No | N/A | Yes |
Microsoft Office vulnerabilities
| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score | Has FAQ? |
|---|
| CVE-2022-33633 | Skype for Business and Lync Remote Code Execution Vulnerability | No | No | 7.2 | Yes |
| CVE-2022-33632 | Microsoft Office Security Feature Bypass Vulnerability | No | No | 4.7 | Yes |
System Center vulnerabilities
| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score | Has FAQ? |
|---|
| CVE-2022-33637 | Microsoft Defender for Endpoint Tampering Vulnerability | No | No | 6.5 | Yes |
Windows vulnerabilities
| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score | Has FAQ? |
|---|
| CVE-2022-33644 | Xbox Live Save Service Elevation of Privilege Vulnerability | No | No | 7 | Yes |
| CVE-2022-22045 | Windows.Devices.Picker.dll Elevation of Privilege Vulnerability | No | No | 7.8 | Yes |
| CVE-2022-30222 | Windows Shell Remote Code Execution Vulnerability | No | No | 8.4 | Yes |
| CVE-2022-30216 | Windows Server Service Tampering Vulnerability | No | No | 8.8 | Yes |
| CVE-2022-22041 | Windows Print Spooler Elevation of Privilege Vulnerability | No | No | 6.8 | Yes |
| CVE-2022-30214 | Windows DNS Server Remote Code Execution Vulnerability | No | No | 6.6 | Yes |
| CVE-2022-22031 | Windows Credential Guard Domain-joined Public Key Elevation of Privilege Vulnerability | No | No | 7.8 | Yes |
| CVE-2022-30212 | Windows Connected Devices Platform Service Information Disclosure Vulnerability | No | No | 4.7 | Yes |
| CVE-2022-22711 | Windows BitLocker Information Disclosure Vulnerability | No | No | 6.7 | Yes |
| CVE-2022-22038 | Remote Procedure Call Runtime Remote Code Execution Vulnerability | No | No | 8.1 | Yes |
| CVE-2022-27776 | HackerOne: CVE-2022-27776 Insufficiently protected credentials vulnerability might leak authentication or cookie header data | No | No | N/A | Yes |
| CVE-2022-30215 | Active Directory Federation Services Elevation of Privilege Vulnerability | No | No | 7.5 | Yes |
Windows ESU vulnerabilities
| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score | Has FAQ? |
|---|
| CVE-2022-30208 | Windows Security Account Manager (SAM) Denial of Service Vulnerability | No | No | 6.5 | No |
| CVE-2022-30206 | Windows Print Spooler Elevation of Privilege Vulnerability | No | No | 7.8 | Yes |
| CVE-2022-30226 | Windows Print Spooler Elevation of Privilege Vulnerability | No | No | 7.1 | Yes |
| CVE-2022-22022 | Windows Print Spooler Elevation of Privilege Vulnerability | No | No | 7.1 | Yes |
| CVE-2022-22023 | Windows Portable Device Enumerator Service Security Feature Bypass Vulnerability | No | No | 6.6 | Yes |
| CVE-2022-22029 | Windows Network File System Remote Code Execution Vulnerability | No | No | 8.1 | Yes |
| CVE-2022-22039 | Windows Network File System Remote Code Execution Vulnerability | No | No | 7.5 | Yes |
| CVE-2022-22028 | Windows Network File System Information Disclosure Vulnerability | No | No | 5.9 | Yes |
| CVE-2022-30225 | Windows Media Player Network Sharing Service Elevation of Privilege Vulnerability | No | No | 7.1 | Yes |
| CVE-2022-30211 | Windows Layer 2 Tunneling Protocol (L2TP) Remote Code Execution Vulnerability | No | No | 7.5 | Yes |
| CVE-2022-21845 | Windows Kernel Information Disclosure Vulnerability | No | No | 4.7 | Yes |
| CVE-2022-22025 | Windows Internet Information Services Cachuri Module Denial of Service Vulnerability | No | No | 7.5 | No |
| CVE-2022-30209 | Windows IIS Server Elevation of Privilege Vulnerability | No | No | 7.4 | Yes |
| CVE-2022-22042 | Windows Hyper-V Information Disclosure Vulnerability | No | No | 6.5 | Yes |
| CVE-2022-30223 | Windows Hyper-V Information Disclosure Vulnerability | No | No | 5.7 | Yes |
| CVE-2022-30205 | Windows Group Policy Elevation of Privilege Vulnerability | No | No | 6.6 | Yes |
| CVE-2022-30221 | Windows Graphics Component Remote Code Execution Vulnerability | No | No | 8.8 | Yes |
| CVE-2022-22034 | Windows Graphics Component Elevation of Privilege Vulnerability | No | No | 7.8 | Yes |
| CVE-2022-30213 | Windows GDI+ Information Disclosure Vulnerability | No | No | 5.5 | Yes |
| CVE-2022-22024 | Windows Fax Service Remote Code Execution Vulnerability | No | No | 7.8 | Yes |
| CVE-2022-22027 | Windows Fax Service Remote Code Execution Vulnerability | No | No | 7.8 | Yes |
| CVE-2022-22050 | Windows Fax Service Elevation of Privilege Vulnerability | No | No | 7.8 | Yes |
| CVE-2022-22043 | Windows Fast FAT File System Driver Elevation of Privilege Vulnerability | No | No | 7.8 | Yes |
| CVE-2022-30220 | Windows Common Log File System Driver Elevation of Privilege Vulnerability | No | No | 7.8 | Yes |
| CVE-2022-22026 | Windows CSRSS Elevation of Privilege Vulnerability | No | No | 8.8 | Yes |
| CVE-2022-22047 | Windows CSRSS Elevation of Privilege Vulnerability | Yes | No | 7.8 | Yes |
| CVE-2022-22049 | Windows CSRSS Elevation of Privilege Vulnerability | No | No | 7.8 | Yes |
| CVE-2022-30203 | Windows Boot Manager Security Feature Bypass Vulnerability | No | No | 7.4 | Yes |
| CVE-2022-22037 | Windows Advanced Local Procedure Call Elevation of Privilege Vulnerability | No | No | 7.5 | Yes |
| CVE-2022-30202 | Windows Advanced Local Procedure Call Elevation of Privilege Vulnerability | No | No | 7 | Yes |
| CVE-2022-30224 | Windows Advanced Local Procedure Call Elevation of Privilege Vulnerability | No | No | 7 | Yes |
| CVE-2022-22036 | Performance Counters for Windows Elevation of Privilege Vulnerability | No | No | 7 | Yes |
| CVE-2022-22040 | Internet Information Services Dynamic Compression Module Denial of Service Vulnerability | No | No | 7.3 | Yes |
| CVE-2022-22048 | BitLocker Security Feature Bypass Vulnerability | No | No | 6.1 | Yes |
| CVE-2022-23825 | AMD: CVE-2022-23825 AMD CPU Branch Type Confusion | No | No | N/A | Yes |
| CVE-2022-23816 | AMD: CVE-2022-23816 AMD CPU Branch Type Confusion | No | No | N/A | Yes |
NEVER MISS A BLOG
Get the latest stories, expertise, and news about security today.
Subscribe
